Well, there's my answer. Someone spoofing one of our email addresses and convincing someone else to send money transfers to a random @yahoo.com email address.
Now to wait for the message trace report from Exchange Online to prove they didn't actually originate from us.
@Jetengineweasel I guess not. Seems they run their own on-prem servers. And looking through the thread I can easily spot which emails weren't from us. And I have the proof in the Message trace report.
I don't have the originals with headers that they received to see where the mail originated from but I know it's not here since outbound SMTP is also blocked on our network.
But as a precaution I've replaced the local user's workstation and they've changed their password.
@devrandom next year I'm looking at blocking inbound messages without an SPF record, and tagging anything without a hard fail with an ugly subject line tag. That kind of thing really helps on the defender side.
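As an added example (not code from anyone in this thread), here is a Python sketch of the kind of inbound policy the post above describes: reject mail whose sender domain has no SPF record (or hard-fails), and stamp an ugly subject tag on anything short of a clean pass. The authserv-id `mx.example.net`, the tag text and the sample headers are all constructed assumptions. It only trusts the `Authentication-Results` header that the receiving MX itself prepends, so a header a sender forges with the same identifier, or one stamped by some other relay, does not count as a verdict.

```python
"""Policy sketch: reject inbound mail with no usable SPF verdict or a hard fail,
tag anything short of a clean pass. Constructed example, not from the thread."""
import re
from email import message_from_string
from email.message import Message

# Identifier that OUR border MX stamps into Authentication-Results (assumed value).
OUR_AUTHSERV_ID = "mx.example.net"
UGLY_TAG = "[UNVERIFIED SENDER] "

_SPF_RE = re.compile(
    r"\bspf=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.IGNORECASE
)


def spf_verdict(msg: Message, authserv_id: str = OUR_AUTHSERV_ID) -> str:
    """Return the SPF result recorded by our own MX, ignoring any
    Authentication-Results header stamped by someone else.

    The receiving MX prepends its header, so the first match from the top is
    the trusted one; a forged copy lower down with the same authserv-id is ignored.
    """
    for value in msg.get_all("Authentication-Results", []):
        stamped_by = value.split(";", 1)[0].strip()
        if stamped_by.lower() != authserv_id.lower():
            continue
        m = _SPF_RE.search(value)
        return m.group(1).lower() if m else "none"
    return "none"  # nobody we trust evaluated SPF: treat as no record


def apply_policy(raw_message: str):
    """Return (action, subject) where action is 'reject', 'tag' or 'accept'."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    verdict = spf_verdict(msg)
    if verdict in ("none", "fail"):      # no record, or explicit hard fail
        return "reject", subject
    if verdict != "pass":                # softfail, neutral, temperror, permerror
        return "tag", UGLY_TAG + subject
    return "accept", subject


# Constructed sample headers (not real traffic); the sender domain is example.com.
SAMPLES = {
    "legit": (
        "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=accounts@example.com\n"
        "From: accounts@example.com\nSubject: Invoice 1042\n\nbody\n"
    ),
    "no_spf_record": (
        "Authentication-Results: mx.example.net; spf=none smtp.mailfrom=ceo@example.com\n"
        "From: ceo@example.com\nSubject: Urgent wire\n\nbody\n"
    ),
    "softfail": (
        "Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=ceo@example.com\n"
        "From: ceo@example.com\nSubject: Urgent wire\n\nbody\n"
    ),
    "forged_ar_header": (
        # Our MX's verdict on top, a sender-supplied fake 'pass' underneath.
        "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=ceo@example.com\n"
        "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=ceo@example.com\n"
        "From: ceo@example.com\nSubject: Urgent wire\n\nbody\n"
    ),
    "foreign_ar_only": (
        # Only some other relay claims a pass; we never checked, so no verdict.
        "Authentication-Results: relay.elsewhere.invalid; spf=pass smtp.mailfrom=ceo@example.com\n"
        "From: ceo@example.com\nSubject: Urgent wire\n\nbody\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} -> {apply_policy(raw)}")
```

In a real deployment the same decision would sit in the mail gateway's transport rules rather than a script; the point the sketch makes is that the verdict has to come from your own MX's header, since anything the sender wrote is attacker-controlled in exactly the scenario this thread is about.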